Incident i20140625.1
- Incident Number: i20140625.1
- Status: execution
- Incident Manager: BenediktHeintel
- Date of incident opened: 2014-06-27
- Date of incident closed: 201Y-MM-DD
- Incident title: Data Privacy breach & potential abuse of power
History Log
- 2014-06-27: Incident i20140625 added, documentation to be done
- 2014-07-05: Incident documentation private part
- 2014-07-10: Updated incident documentation
- 2014-07-12: Added Corrective and Preventive Actions
- 2014-07-12: Board informed about incident and asked for approval (until 2014-07-20) and execution (until 2014-08-09)
- 2014-07-13: Arbitration opened the case a20140712.1
- 2014-07-13: Board approved the Incident and the proposed preventive actions
- 2014-07-15: Corrected the Incident Description and updated the Root Cause
- 2014-11-30: Finding #4 was validated by Arbitration in a20140624.1
1. Incident Response Team
- Internal Auditor
- iCM (initial Case Manager) of arbitration case a20140624.1
2. Incident Description
The initial Case Manager of arbitration case a20140624.1 consulted the internal auditor by e-mail about that case. Since the e-mail comprises several pages of e-mail conversation between a community member and a support person, only the summary is cited here; the full anonymised text provided to Audit is documented in the Arbitration Case (access for Arbitration and Audit only). The affected persons are unknown to the internal Auditor.
- some action of the Support member to get the member to reveal more details about his person, including the demand to hand over what is written in his official documents, without any authority given by arbitration
- the support member giving warnings to members, without any authority given by an arbitration case
- the support member requiring the member not to use his account until further notice, and especially not to get assurances or issue certificates
- the support member refusing to delete the account of a member as requested, because he favours another solution
- a privacy breach when forwarding all name details of a member and all assurance details of multiple assurances to an arbitrator who did not have an arbitration case running in this direction
The summary (proven by the e-mail itself) contains a data privacy breach and potentially an abuse of power.
3. Containment Actions
No containment action was taken; there is no current danger of the incident expanding.
4. Root Causes
- The community member requests the deletion of one of his CAcert accounts.
- The supporter asks for the e-mail addresses of the other accounts.
Finding 1: To execute the deletion this information is not required and should not be requested ("need to know").
- The member provides the second e-mail address and requests the deletion of the first account.
- The supporter looks up the second account and proposes to delete this one.
Finding 2: Neither the member nor an arbitrator asked the supporter to look up the second account, nor does a precedent case give him the right to do so. The supporter violates § 8 in conjunction with § 9 Privacy Policy.
- The member again asks for the deletion of the first account.
- The supporter contacts two assurers, who assured the member twice (once on each account), and blames them for unlawful behaviour.
Finding 3: The supporter again violated § 8 in conjunction with § 9 Privacy Policy when looking up the e-mail addresses of the two assurers.
Finding 4: There is no rule in CAcert that an assurer may not assure the same assuree several times. Since the supporter does not state on what basis he judges, an abuse of power is presumed.
- The supporter forwards two e-mails of the member and one e-mail he wrote himself in an earlier conversation with the member, without anonymisation, to an arbitrator. The e-mails contained names, e-mail addresses, dates and locations of several assurances.
Finding 5: The supporter violates § 8 in conjunction with § 9 Privacy Policy a third time; even if the recipient is an arbitrator, the further rights of § 9 Privacy Policy only apply if the arbitrator had been acting in a duly filed dispute.
- A second supporter filed a dispute.
To sum it up, the supporter
- violated § 8 in conjunction with § 9 Privacy Policy three times and
- abused his power as supporter to request additional information and provide false information (to be verified by arbitration case a20140624.1).
5. Permanent Corrective Actions
Dispute a20140712.1 was requested with the following text:

Dear Arbitrators,

As CAcert's internal Auditor, I would like to open a dispute against the supporter S1 (private data unknown to me) from arbitration case a20140624.1's anonymised mail collection [1].

Reasons: Audit got aware of a massive data privacy breach and abuse of supporter power by S1, documented in i20140625.1 [2]. Audit does not have the tools and power to prosecute an individual based on his/her misbehaviour. Therefore, I would like to ask arbitration to take over the case and handle the individual prosecution against S1.

Supporter S1
* violated § 8 in conjunction with § 9 Privacy Policy [3] three times and
* abused his power as supporter to request additional information and provide false information (to be verified by arbitration case [4]).

Best Regards
Benedikt

[1] https://wiki.cacert.org/Arbitrations/priv/a20140624.1/AnonymSupportCase
[2] https://wiki.cacert.org/Audit/Incidents/i20140625.1
[3] http://www.cacert.org/policy/PrivacyPolicy.html
[4] https://wiki.cacert.org/Arbitrations/a20140624.1
6. Verify Corrective Actions
7. Preventive Actions
The internal Auditor recommends the following preventive actions:
- Train the Support team in data protection
- Oblige core team members (auditable) on data privacy
- Add a data privacy test to CATS with privacy related questions and make the repetition of the test mandatory after two years for all core team members
Board decided to install the following preventive actions (motion m20140713.1):
- moves 1) that board takes steps to ensure that each CAcert team member of Support, SE, Arbitration, Infrastructure honours CAcert's Privacy Policy and proves the understanding of the named policy by repeating a PP CATS Test yearly,
- 2) the change has to be retained in the accordant policies via Arbitration and Policy group, and
- 3) the required CATS test is prepared under the responsibility of the Education Team
8. Approval & Closure
- Approved: 2014-07-13 in m20140713.1
- Date closed: